Wednesday, 23 November 2016

Irish businesses will have to cough up for new data
protection officers thanks to EU laws coming down the tracks, according to the
Irish data protection commissioner.

Speaking to the Irish Independent, Helen Dixon said
that the General Data Protection Regulation will be a "wake up call"
for Irish organisations which do not currently have such facilities in place.

Ms Dixon
said that dozens of foreign-based tech companies had recently been in touch
with her office over data compliance responsibilities after a potential move to
Ireland.

The GDPR is
one of a number of data and security issues to be discussed at Dublin InfoSec
2016 today. The RDS conference, which includes talks by Wikileaks journalist
Sarah Harrison and cyber psychologist Mary Aiken, will focus on topics ranging
from how to survive being hacked to ransomware attacks and responding to data
breaches.

Breaches

The
conference is being held as news of one of the world's biggest data breaches
broke last night. Over 400 million email addresses and passwords from the
adult-themed dating network 'Adult Friend Finder' were exposed, with tens of
thousands of Irish email addresses said to be included in the breach.

Meanwhile,
Ms Dixon said that it would be a matter of months before the Irish data
regulator's office knows whether, or to what extent, Yahoo can be held
accountable for its recent data breach that affected over 500 million email
users.

"We're
in daily contact and in constant activity," she said.

"That
is the subject of significant activity for the office and is in fact a scenario
that is changing day by day in terms of the information that we're
gathering."

Last week,
Yahoo filed a document with US authorities revealing that some staff knew of
the data breach as far back as 2014. The company, which only admitted the
massive breach in September of this year, has claimed that the meltdown was
caused by state-sponsored hackers.

Monday, 7 November 2016

CHINA HAS PASSED a controversial cybersecurity bill, further tightening restrictions
on online freedom of speech, raising concerns that it could intensify already
wide-ranging internet censorship.

The
ruling Communist Party oversees a vast censorship system – dubbed the Great
Firewall – that aggressively blocks sites or snuffs out internet content and
commentary on topics considered sensitive, such as Beijing’s human rights
record and criticism of the government.

The
law, which was approved by the National People’s Congress Standing Committee,
bans internet users from publishing a wide variety of information, including
anything that damages “national honour”, “disturbs economic or social order” or
is aimed at “overthrowing the socialist system”.

National security

The
law requires companies to verify a user’s identity, effectively making it
illegal to go online anonymously.

It
also includes provisions for protecting the country’s networks and private user
information.

Early
drafts of the legislation drew a wave of criticism from rights groups and
businesses, which objected to its vague language.

Foreign
companies, in particular, expressed concern about language that would require
them to cooperate with Chinese authorities to “protect national security”,
broadly-worded language that was included in the final version of the law.

“This
dangerous law commandeers internet companies to be de facto agents of the
state, by requiring them to censor and provide personal data to the authorities
at a whim,” said Patrick Poon, China researcher at overseas-based rights group
Amnesty International.

Internet rumours

Chinese
authorities have long reserved the right to control and censor online content.
But the country stepped up its controls in 2013, launching a wide-ranging internet
crackdown that targeted activists and focused on the spread of so-called
“internet rumours”.

Hundreds
of Chinese bloggers and journalists were detained as part of the campaign to
assert greater control over social media, which has seen influential critics of
Beijing paraded on state television.

Under
regulations announced at the time, Chinese internet users face three years in
prison for writing defamatory messages that are re-posted 500 times or more.
Web users can also be jailed if offending posts are viewed more than 5,000
times.

Comments
posted on social media have been used in the prosecution of various activists,
such as human rights lawyer Pu Zhiqiang.

“If
online speech and privacy are a bellwether of Beijing’s attitude toward
peaceful criticism, everyone – including netizens in China and major
international corporations – is now at risk,” said Sophie Richardson, China
Director of Human Rights Watch.

“This law’s passage
means there are no protections for users against serious charges.

The case arises
from a complaint by an individual, Daniel Lannon, that his personal data,
including details of a previous address in Louth, had been handed over
unlawfully to a private investigator.

Ryan had been
carrying out work for Croskerrys Solicitors in Dublin, a firm specialising in
debt recovery, that was acting for AIB.

The court heard
he obtained personal information from his sister-in-law, Catriona Bracken, who
was an employee of the Department of Social Protection in Athlone.

The personal
data of 61 individuals had been accessed on behalf of the two main banks in
this investigation.

Ms Bracken, AIB
and Bank of Ireland were not represented in court as the prosecution related
solely to Ryan and his company. The court heard the company was not registered
with the Data Protection Commissioner and had no authorisation to process
personal information on databases.

The court heard
that while it is not against the law for solicitors and banks to hire private
investigators, it remains a serious breach of the Data Protection Act to obtain
personal information unlawfully.

It was the
tactics and methodology used that were of serious concern in this case.

Judge Conal
Gibbons said that by publicising prosecutions of this nature, citizens would
have their rights protected and vindicated in the courts.

He also
expressed concern that banks did not take greater care to ensure the people
they were hiring to help recover debt were fully compliant with rules and
regulations.

The judge took
into account the guilty plea and the financial circumstances of Ryan when he
imposed a fine of €7,500.

The court heard
the 47-year-old father of five was in mortgage arrears.

He had no
previous convictions and received modest fees of between €45 and €100 for each
'trace' he carried out illegally.

Friday, 23 September 2016

YAHOO HAS SAID that a massive attack on
its network in 2014 allowed hackers to steal data from half a billion users and
may have been “state sponsored.”

The Data Protection Commissioner here
has been notified of the data breach by the multinational, which has its
European HQ based in Dublin.

“Yahoo
have notified us of the breach,” a spokeswoman told TheJournal.ie.

Our office has raised a number of issues for which
we’re seeking clarification on, and are waiting for a response from Yahoo.

Helen Dixon was appointed as Data Protection Commissioner
for Ireland in September 2014, heading up the office in Portarlington, Co
Laois.

Yahoo,
which confirmed details of the breach last
night, months after reports of a major hack, said its investigation concluded
that “certain user account information was stolen” and that the attack came
from “what it believes is a state-sponsored actor.”

“Based on the ongoing investigation,
Yahoo believes that information associated with at least 500 million user
accounts was stolen,” said a statement by the US internet giant in what is
likely the largest-ever breach for a single organization.

The
comments come after a report earlier this year quoted a security researcher
saying some 200 million accounts may have been accessed and that hacked data
was being offered for sale online.

Yahoo said the stolen information may
have included names, email addresses, birth dates, and scrambled passwords,
along with encrypted or unencrypted security questions and answers that could
help hackers break into victims’ other online accounts.

While there is no official record of
the largest breaches, many analysts have called the Myspace hack revealed
earlier this year the largest to date, with 360 million users affected.

Ammunition for hackers

Computer security analyst Graham Cluley
said the stolen Yahoo data “could be useful ammunition for any hacker
attempting to break into Yahoo accounts, or interested in exploring whether
users might have used the same security questions/answers to protect themselves
elsewhere on the web.”

He noted that while Yahoo said that it
believes the hack was state-sponsored, the company provided no details
regarding what makes them think that is the case.

“If I had to break the bad news that my
company had been hacked… I would feel much happier saying that the attackers
were ‘state-sponsored,’” rather than teen hackers, Cluley said in a blog post.

University of Notre Dame associate
teaching professor and data security specialist Timothy Carone told AFP that
the Yahoo hack fit the “big picture” when it comes to cyberattacks launched by
spy agencies in Russia, China, North Korea or other countries.

“It just smacks of traditional trade
craft,” Carone said.

It is a broad sweep of getting information on
people and building up profiles on those who may be of use to them.

Carone
described Russia, China and North Korea as the usual three suspects in
state-sponsored hacks, but cautioned that allies are not above cyber snooping
as well.

“People have to realize that anything
they put out there is fair game,” he said, stressing a need for internet users
to remain wary.

Unprotected passwords

It appeared that looted Yahoo data did
not include unprotected passwords or information associated with payments
or bank accounts, the Silicon Valley company said.

Yahoo is asking affected users to
change passwords, and recommending anyone who has not done so since 2014 to
take the same action as a precaution.

Users of Yahoo online services were
urged to review accounts for suspicious activity and change passwords and
security question information used to log in anywhere else if it matched that
at Yahoo.

“Online intrusions and thefts by
state-sponsored actors have become increasingly common across the technology
industry,” Yahoo said in a statement.

Yahoo and other companies have launched programs to
detect and notify users when a company strongly suspects that a state-sponsored
actor has targeted an account.

$4.8 billion

Confirmation of the major cyber breach
comes two months after Yahoo sealed a deal to sell its core internet business
to telecom giant Verizon for $4.8 billion, ending a two-decade run as an
independent company.

It was not immediately clear if the
data breach could impact the closing of the deal or the price agreed by
Verizon.

“Frankly, the timing couldn’t be worse
for Yahoo,” Cluley said.

The telecom firm said it was reviewing
the new information.

“Within the last two days, we were
notified of Yahoo’s security incident,” Verizon said in a statement.

“We will evaluate as the investigation
continues through the lens of overall Verizon interests, including consumers,
customers, shareholders and related communities.”

Wednesday, 14 September 2016

Austrian student
Max Schrems’ high-profile class action case over Facebook’s privacy rules has
been referred to the European Court of Justice by Austria’s highest court.

The court in Luxembourg will now have
to decide whether Max Schrems can
bring a class action suit on behalf of European or even worldwide users of the
social network.

Mr Schrems launched a class action
suit against Facebook on
behalf of 25,000 other people in 2014, accusing it of having invalid privacy
policies and processing customer data illegally.

Facebook argued that the Austrian
court did not have jurisdiction over the case, which slowly worked its way up
the Austrian legal system before being referred to the EU’s top court. The
company argues that Mr Schrems is not a consumer but an activist and so cannot
legally represent other consumers.

Mr Schrems said he hoped the European
court would be “consumer friendly” when it decided the jurisdiction question,
praising it for having been so in previous cases. “Filing thousands of
individual lawsuits before thousands of courts would be an absurd exercise,” he
said.

Procedural questions

A spokeswoman for Facebook said: “Mr
Schrems’s claims have twice been rejected on the grounds that they cannot
proceed as ‘class action’ on behalf of other consumers in Austrian courts. We
look forward to addressing the procedural questions presented to the [European
Court of Justice] to resolve these claims.”

The referral is the latest twist in a
five-year dispute between Facebook and Mr Schrems, which began when he was a
student and has already upturned data protection law in the EU. Mr Schrems
founded the organisation Europe v Facebook, which he is funding from small
donations from “many concerned citizens” across Europe.

In a landmark judgment last year, the
European Court of Justice struck down a crucial data transfer deal that allowed
the likes of Facebook and Amazon to
transfer personal data easily from the EU to the US, following a complaint from
Mr Schrems.

The court ruled that the deal was
invalid because the data of EU citizens were not sufficiently protected from US
spies. Edward Snowden,
the US National Security Agency whistleblower, praised Mr Schrems at the time,
saying he had changed the world for the better.

A separate legal method of
transferring data across the Atlantic – known as model contract clauses – is
also under question in a related case in Ireland, again involving Mr Schrems.
These clauses are relied on by 80 per cent of companies that transfer data from
the EU to the US, lawyers estimate.

Monday, 15 August 2016

If a cyclist or homeowner uses footage from these cameras, beyond
a personal capacity, then they may be in breach of data-protection law.

“If an individual is using CCTV or a body-worn camera and
processing personal data beyond what is a ‘personal or household activity’ then
they may assume the role of a data controller and as such they would be
required to comply with data protection legislation,” a spokesperson from the
DPC’s office said.

The issue came up in the commissioner’s annual report for 2015,
published in June, listing it as one of three major data protection matters
that arose.

The spokesperson from the commissioner’s office stated, however,
that where an individual processes data from such cameras for their own
personal affairs or keeps it for recreational purposes, this is exempt from the
data protection law.

However, even if the activity is exempt a person such as a
neighbour might object to it and take a civil action.

“Though outside the remit of this office, it may be the case that
even where this exemption does apply, an individual who objects to the
recording, for example a neighbour who objects to images of his or her property
being recorded, may be able to take a civil action based on the constitutional
and common law right to privacy,” said the spokesperson.

The commissioner’s report also made an audit finding on the
excessive use of body-worn cameras.

“Our general guidance in this area is that we would consider that
body-worn cameras should only be activated in extreme cases in response to
specific pre-defined criteria, where it could be justified for security and
safety purposes,” reads the report.

Friday, 5 August 2016

An EU lawmaker says dating app Tinder breaches the bloc's data
protection rules because it uses personal data without explicit consent and
should be investigated by the European Commission.

The dating app, owned by website operator Match Group Inc, imposes unlawful
conditions on users, pushing them to consent to unclear clauses that allow the
company to use their data even after they close their accounts, socialist
lawmaker Marc Tarabella said in a statement.

"Once you subscribe, the company can do whatever it wants with your data.
It can show them, distribute them to whomever or even modify them. The lack of
transparency cannot be the rule," Tarabella said.

The Belgian politician, who in 2014 was among the leading European parliament
members calling for a break-up of Google's search engine from its
commercial services, also accused dating app Happn and jogging app Runkeeper of
violating EU data protection rules.

Tinder representatives were not
immediately available for comment.

A Commission spokeswoman said it was
up to national authorities to enforce EU rules on data and consumer protection.
However, the Commission has conducted such investigations in the past.

"The problem is always the lack
of transparency and the notion of consent," Tarabella said, adding that
companies often sell users' data to third parties without consumers being aware
or having explicitly consented to it.

EU rules protect consumers who no longer want their data to be used.
Companies are also required to provide "easy-to-understand
information" and to obtain an explicit consent from users to process
personal data.

Thursday, 14 July 2016

The European Union’s data protection laws are
intended to ensure that we can entrust personal data to our devices and online
services without fear of privacy violations. To make sure that this European
standard is not undermined, it is essential to clarify under which
circumstances personal data can be transferred to other countries – ones that
may not have the same privacy protection laws.

The European Commission will today adopt the
so-called Privacy Shield, which will allow companies to transfer personal data
from the EU to the United States. It follows the European Court
of Justice ruling that the previous system for the transfer of data to the US,
called Safe Harbour, violated fundamental rights to privacy.

Does Privacy Shield protect the privacy of European
users when their data is sent to the United States? Various indicators suggest
it does not.

With regard to the private sector, it is painfully
obvious that the rules give nowhere near the level of protection and principles
afforded by the EU. For example, if you share your personal information with
your doctor, you reasonably expect that he will only use this information for
the purpose of curing you – not to gossip behind your back. This expectation is
enshrined in EU law as “purpose limitation”.

Privacy Shield allows the sharing of your data for
very broad and generic purposes, such as “for all services we may provide to
you and others”. This undermines a very crucial protection. Many other data
protection rules, such as the deletion of data or the sharing of data, are
interlinked with this principle.

Privacy Shield is meant to be based on “notice and
choice”, which sounds promising. However, Privacy Shield does not give users
much “choice”. It actually gives companies a general blanket approval to use
the personal data of any person under the sun. Only in two specific cases can
users object.

They would first have to know which US company was
using their data, and then contact the company and actively “opt out”. This gives
US companies a significant competitive advantage over European firms. Under the
European “opt-in” system, companies typically have to ask customers for
consent.

In addition, the rules for legal redress are rather
complex. If European customers believe their rights have been violated, they
have to first contact private US arbitration bodies and their national
authorities, who in turn contact the US authorities, in order to be finally
able to address concerns with a “privacy shield board”.

No guarantees

None of this guarantees that the person responsible
for oversight will be empowered to actually review the practices of any company
and, for example, review servers and software. None of the options available
are directly enforceable by a customer. In sum, even if a company violates the
fundamental rights of a customer, it is very unlikely there will be any real
consequences.

The rules concerning personal data in the public
sector are equally worrisome. In its Safe Harbour ruling, the European Court of
Justice strongly criticised mass-surveillance laws in the US, which have not
changed in the meantime. While US citizens enjoy certain protection against
surveillance measures, “non-US persons” are specifically exempted.

Not only does the final Privacy Shield use the
exact same wording on mass surveillance laws as Safe Harbor, but the US now
even admits that it will continue to collect personal data stemming from Europe in bulk.

Blanket mass surveillance without any reasonable
suspicion is contrary to the principles of European human rights. European
courts have consequently ruled clearly against blanket access to personal data
for not being in line with the fundamental rights to privacy and data
protection.

Legal redress against measures in the public sector
is little more than a farce. An EU citizen may address an ombudsperson in the
US, which is not a court or independent body, but an undersecretary of the US
government.

Confirm nor deny

While the new ombudsperson can raise issues within
the US government, the reply to the individual concerned will always contain
the same two sentences: first, the US will not confirm or deny any
surveillance; and, second, all US laws were adhered to, or any non-compliance
was remedied.

This ombudsperson is not what the European Court of Justice meant when it
asked for individual redress.

Privacy Shield needs to fulfil the criteria laid
down in European Union law and by its courts,
which have clearly stated that blanket data collection is not compatible with
the fundamental right to data protection.

This is also a problem for European businesses that
are obliged to meet EU data protection standards but which will, under Privacy
Shield, face competition from US companies who face no such obligation. Nor
does this new deal provide legal certainty for the industry that is so
desperately needed.

The European Commission should hold off on
activating Privacy Shield until more work is done on the US side. Given the
countless insufficiencies, it is otherwise highly likely that the new Privacy
Shield will share the history of the previous Safe Harbor and be invalidated by
the European Court of Justice.

Thursday, 7 July 2016

The Minister for Justice Frances Fitzgerald has obtained cabinet approval in relation to legislation that will allow Gardai to intercept emails and social media messages, which will include Facebook, Twitter, Whatsapp and other social networks. The move comes after Gardai investigating organised crime raised concerns that criminals were communicating online, outside the remit of surveillance laws.

There is concern that the proposed legislation will not be in line with a ruling of the European Court of Justice which effectively threw out a proposal for similar legislation. We cannot foresee the implications such legislation will have on privacy rights or data protection issues. Furthermore, such legislation may not be in line with EU rulings.

Monday, 4 July 2016

Private Investigator James Cowley pleaded guilty to 13 charges under Section 22 of the Data
Protection Act for unlawfully obtaining access to personal data and disclosing
it to third parties without authorisation of the Department of Social
Protection. He had been hired by Permanent TSB, Zurich, Alliance and the State
Claims Agency to carry out surveillance on claimants. The prosecution has been welcomed
by the Office of the Data Protection Commissioner. It was the third successful
prosecution by the ODPC in the last two years in relation to offences committed
by private investigators.

The Data Protection Commissioner, Helen Dixon said
the following in relation to the prosecution, “This outcome is a strong signal
to private investigators that they must fully comply with data protection
legislation. As this case highlights, where private investigators fail to
comply with the law they will be rigorously pursued and prosecuted for
offending behaviour. It is also a timely reminder to all companies and
businesses which hire private investigators of their responsibilities under the
Data Protection Acts to ensure that all work carried out on their behalf by
private investigators is done lawfully. I would urge public bodies and private
sector organisations who appoint private investigators to review their terms of
engagement, in order to satisfy themselves that any means of collection of
personal data used by the investigators they hire are in line with the
law."

Fintan Lawlor, Lawlor Partners Solicitors, was
the first solicitor in Ireland to secure compensation for a data subject whose
rights had been breached under the Data Protection Acts 1988 and 2003. The plaintiff
in the case of Collins v FBD has been pursued by a private investigator.

Thursday, 12 May 2016

Lawlor Partners Solicitors welcome the commitment given by the government today in ‘a programme for partnership government’ that a new parliamentary investigation unit will be established to assist and improve the ability of the Oireachtas committees to conduct investigative work and inquiries.

Lawlor Partners has extensive experience in advising and representing clients at all stages of the inquiry process.

Wednesday, 20 April 2016

The Data Protection Commissioner has contacted Dublin City Council over its use of
images of people captured on CCTV illegally dumping household waste.

The council last week erected a poster in a litter blackspot in the
north inner city, showing 12 people caught on CCTV dumping rubbish on the
street.

The faces are slightly blurred, due to the quality of the CCTV footage,
but they would be able to identify themselves, as most likely would their
neighbours, the council said.

The poster has been bolted to a wall behind a Perspex shield at
Frankfort Cottages, near the Five Lamps, one of the city’s worst areas for
illegal dumping. CCTV cameras were installed a number of weeks ago and they had
some effect in reducing dumping.

However, within a day of the poster going up last week, the street was
clear.

“It was remarkable. For the last 10 years we’ve had signage there
warning people not to illegally dump, but every day we would have to clear up
bags, and sofas and other furniture, and even builders’ rubble, but this poster
has made such a difference,” said John McPartlan, public domain officer with
the council.

Rights to privacy

However, yesterday morning the commissioner’s office contacted the
council.

“Officials from this office have contacted the DCC in relation to the
publication of CCTV stills.

“It should be pointed out that the processing of personal data must be
done fairly, demonstrate proportionality and not be overly prejudicial to the
fundamental right of the individual to data privacy.”

Mr McPartlan said he would be responding to the commissioner this week.

“We have to make a case that our use of the images is a proportionate
response to the issue, and our view is that it is, because illegal dumping
leaves the city in a terrible mess.”

He added the council had published no names and no personal information.

The poster shows people dumping refuse sacks and smaller supermarket
bags, as well as a woman dumping a suitcase and two young men dumping a sofa.

Litter blackspot

The council has been making concerted efforts to clean up the north
inner city, but the area has languished near the bottom of the Irish Business
Against Litter (Ibal) national survey, although it recently moved up from 39th
to 37th most littered urban area.

The council in December 2013 announced a “blitz” on dumping black spots
in the city where residents leave their rubbish in the streets instead of
paying for waste collection.

It established a north inner city litter action group which has gone
door to door asking people to provide proof they are disposing of their waste
legally, and has had some success in persuading households to sign up to pay to
have their bins collected.

However, no measure has had the instant effect of the poster. Local
Independent councillor Nial Ring said he and other local
councillors “fully endorsed” the measure.

“This is the nearest we can get to a name and shame policy. I would
recommend that we get more CCTV cameras and put up more posters because it has
got results.

“We don’t want to be in the Ibal relegation zone, we want to be the Leicester City of the litter league.”